CVE-2019-16667

Name of the Vulnerable Software and Affected Versions pfSense version 2.4.4-p3

Description The issue allows for CSRF, potentially enabling the execution of OS commands. This is demonstrated through the txtCommand or txtRecallBuffer field in the diag command.php file. The csrf callback() function is involved, producing a "CSRF token expired" error along with a Try Again button when a CSRF token is missing.

Recommendations For pfSense version 2.4.4-p3, consider restricting access to the diag command.php file to minimize the risk of exploitation. As a temporary workaround, avoid using the txtCommand or txtRecallBuffer fields in the diag command.php file until a patch is available.